Usage of Renamed Sysinternals Tools - RegistrySet
Detects non-Sysinternals tools setting the "accepteula" registry key, which is normally set when a Sysinternals tool is executed
detection:
    selection:
        TargetObject|contains:
            - '\PsExec'
            - '\ProcDump'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\Active Directory Explorer'
        TargetObject|endswith: '\EulaAccepted'
    filter_main_image_names:
        Image|endswith:
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
    filter_optional_null:
        Image: null # Race condition with some logging tools
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False positives are unlikely for most environments. High confidence detection.
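To make the rule's logic concrete, the following added example (not part of the rule or of any Sigma backend) evaluates the selection and both filters above against a handful of constructed registry-set events, including the null-Image race condition the rule excludes. It assumes Sigma's default case-insensitive string matching and events shaped like Sysmon Event ID 13 with Image and TargetObject fields.

```python
"""Hand-rolled evaluation of the 'Usage of Renamed Sysinternals Tools - RegistrySet'
Sigma logic over constructed events. Illustration only, not Sigma's own engine."""

# Values copied from the rule above.
SELECTION_CONTAINS = ['\\PsExec', '\\ProcDump', '\\Handle', '\\LiveKd',
                      '\\Process Explorer', '\\PsLoglist', '\\PsPasswd',
                      '\\Active Directory Explorer']
SELECTION_ENDSWITH = '\\EulaAccepted'
EXPECTED_IMAGES = ['\\PsExec.exe', '\\PsExec64.exe', '\\procdump.exe', '\\procdump64.exe',
                   '\\handle.exe', '\\handle64.exe', '\\livekd.exe', '\\livekd64.exe',
                   '\\procexp.exe', '\\procexp64.exe', '\\psloglist.exe', '\\psloglist64.exe',
                   '\\pspasswd.exe', '\\pspasswd64.exe', '\\ADExplorer.exe', '\\ADExplorer64.exe']


def matches(event: dict) -> bool:
    """Return True when the event satisfies
    'selection and not 1 of filter_main_* and not 1 of filter_optional_*'.
    Sigma string modifiers compare case-insensitively, so everything is lower-cased."""
    target = (event.get("TargetObject") or "").lower()
    selection = (any(s.lower() in target for s in SELECTION_CONTAINS)
                 and target.endswith(SELECTION_ENDSWITH.lower()))
    if not selection:
        return False
    image = event.get("Image")
    # filter_optional_null: Image is null (the race condition noted in the rule) -> suppressed
    if image is None:
        return False
    # filter_main_image_names: the expected Sysinternals binary names -> suppressed
    if any(image.lower().endswith(name.lower()) for name in EXPECTED_IMAGES):
        return False
    return True


# Constructed sample events (not real telemetry); the SID and paths are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\PsExec64.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec\EulaAccepted"},
    {"Image": r"C:\Users\Public\update.exe",  # renamed tool: only this one should alert
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec\EulaAccepted"},
    {"Image": None,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\ProcDump\EulaAccepted"},
    {"Image": r"C:\Windows\notepad.exe",
     "TargetObject": r"HKCU\Software\Sysinternals\Handle\SomeOtherValue"},
]


def alerts(events) -> list:
    """Images of the events that the rule would flag."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT" if matches(e) else "ok   ", e["Image"], e["TargetObject"])
```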
Sub-techniques
PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals tool via the creation of the "accepteula" registry key
This rule was derived from the related rule - both detect similar activity with different scope.
Suspicious Execution Of Renamed Sysinternals Tools - Registry
Detects the creation of the "accepteula" key associated with Sysinternals tools by executables with an unexpected name (e.g. a renamed Sysinternals tool)
Detects similar activity. Both rules may fire on overlapping events.